The Iranian state-sponsored risk actor tracked beneath the moniker Lyceum has turned to utilizing a brand new customized .NET-based backdoor in current campaigns directed in opposition to the Center East.
“The brand new malware is a .NET based mostly DNS Backdoor which is a custom-made model of the open supply instrument ‘DIG.internet,'” Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar stated in a report printed final week.
“The malware leverages a DNS assault approach known as ‘DNS Hijacking’ during which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious necessities.”
DNS hijacking is a redirection assault during which DNS queries to real web sites are intercepted to take an unsuspecting consumer to fraudulent pages beneath an adversary’s management. Not like cache poisoning, DNS hijacking targets the DNS report of the web site on the nameserver, moderately than a resolver’s cache.
Lyceum, also referred to as Hexane, Spirlin, or Siamesekitten, is primarily identified for its cyber assaults within the Center East and Africa. Earlier this 12 months, Slovak cybersecurity agency ESET tied its actions to a different risk actor known as OilRig (aka APT34).
The newest an infection chain entails the usage of a macro-laced Microsoft Doc downloaded from a site named “news-spot[.]reside,” impersonating a official information report from Radio Free Europe/Radio Liberty about Iran’s drone strikes in December 2021.
Enabling the macro leads to the execution of a malicious code that drops the implant to the Home windows Startup folder to ascertain persistence and guarantee it routinely runs each time the system is restarted.
The .NET DNS backdoor, dubbed DnsSystem, is a reworked variant of the open-source DIG.internet DNS resolver instrument, enabling the Lyceum actor to parse DNS responses issued from the DNS server (“cyberclub[.]one”) and perform its nefarious targets.
Along with abusing the DNS protocol for command-and-control (C2) communications to evade detection, the malware is supplied to add and obtain arbitrary information to and from the distant server in addition to execute malicious system instructions remotely on the compromised host.
“APT risk actors are constantly evolving their ways and malware to efficiently perform assaults in opposition to their targets,” the researchers stated. “Attackers constantly embrace new anti-analysis methods to evade safety options; re-packaging of malware makes static evaluation much more difficult.”
